OpenBSD Journal

y Potential Buffer Overflow in lprm

Contributed by jose on from the right-before-the-release! dept.

Todd Miller has posted a message to security-announce about a possible buffer overflow in the program lprm(1). From his email:
A bounds check that was added to lprm in 1996 does its checking too late to be effective. Because of the insufficient check, it may be possible for a local user to exploit lprm to gain elevated privileges. It is not know at this time whether or not the bug is actually exploitable.

Starting with OpenBSD 3.2, lprm is setuid user daemon which limits the impact of the bug. OpenBSD 3.1 and below however, ship with lprm setuid root so this is a potential localhost root hole on older versions of OpenBSD.

The bug is fixed in OpenBSD-current as well as the 3.2 and 3.1 -stable branches.

Thanks go to Arne Woerner for noticing this bug.

Patches for 3.1-stable are available ( patch 023 ) and 3.2-stable ( patch 010 ).

(Comments are closed)

  1. By Anonymous Coward () on

    hey people, I think it is not exploitable on 3.2-current because of gcc propolice stack protection, is it ?

  2. By Arrigo Triulzi () on

    For those who can't or won't upgrade (like me), you will be pleased to know that the 3.1 patch applies cleanly to the 3.0 source tree (probably because LPD has been around for a few years...).

  3. By Anonymous Coward () on

    can someone explain to me what happens as the team prepares for another release (say 3.3)? Is 3.3-beta if I just ran CVS to get "src" is that would I be getting? What about snapshots, those are taken from current, correct? If so, once the freeze starts is there no cutting-edge development tree until after the release of 3.3?

    I have RTFM, I just didn't find this part all that clear. THanks.

  4. By Anonymous Coward () on



Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]